A widespread phishing scam hit Google Docs users yesterday, exposing their Gmail accounts and contact lists to attackers. A typical phishing attack relies on emails disguised as important messages to trick unsuspecting users into handing over their credentials or other personal information themselves. That is not what happened with the Google Docs phishing scam.

The attackers used a more sophisticated approach: they registered a non-Google web app and simply named it "Google Docs". They then sent Gmail users emails, apparently from a known contact, inviting them to edit a document on Google Docs. Those who clicked the link landed on a genuine Google sign-in and consent screen asking them to "continue to Docs". Because the page and its URL really were Google's, users were fooled into granting the malicious "Google Docs" web app access to their accounts. Below is a snapshot of the permission screen:

If you read carefully, the permissions requested are ones Google's own Docs would never need a third-party app to ask for: full access to read, send and delete your email, and to manage your contacts. If you received such an email yesterday and clicked through, revoke the app's access from your Google account settings and change your passwords, then warn the people in your contacts list. Note that changing a password does not by itself revoke an OAuth grant already given to an app, so revoking the app is the essential step. The attackers apparently send similar spam emails to the contacts of every user who clicked the phishing link, which is how it spread so fast. Here are some reactions to the attack on Twitter:

@zachlatta @zeynep holy shit, those are not permissions you want to grant. Also I feel like Google shouldn't let a 3rd party service name itself "Google Docs"?
— Sam Biddle (@samfbiddle) May 3, 2017

@zachlatta @zeynep This attack is so obvious for those who have worked with this kind of annoying authentication, I'm surprised no one has done it before.
— Christos Karras (@ckarras) May 3, 2017

The problem the attackers exploited is that Google let them register a third-party web app with the display name "Google Docs" and request broad permissions through Google's own OAuth consent screen. Nothing in the flow was faked: the sign-in page, the consent page and their URLs were all Google's, and only the app behind the request was not. The one visible giveaway was the developer information behind the app title. Here is what you see when you click the app title on the consent screen to check it:

Users who suspect they have been hacked can go to Google's Connected Apps and Sites page and revoke the permissions granted to the malicious app. This is the step that actually cuts off the attacker: the app holds an access token for the account, not the password, so the token must be revoked.
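As an added illustration of the consent-screen checks described above (example code written for this edit, not the article's own code and not Google's), the Python script below parses an OAuth 2.0 authorization URL of the shape Google's flow uses and flags the two tells a wary user, or a web-proxy rule, would look for: a Google-branded app name whose redirect_uri is not a Google-owned host, and scopes granting full mailbox or contacts access. The scope URIs are Google's documented scopes for that level of access and are an assumption, since the page does not list the exact scopes the attack requested; the client IDs, redirect hosts and sample URLs are constructed for illustration.

```python
"""Heuristic triage of a Google OAuth 2.0 consent request.

Added example; not code from the article, from Digit or from Google.
Assumptions: the scope URIs are Google's documented scopes for full
mailbox and contacts access (the page does not list the exact scopes the
attack requested); the client IDs, redirect hosts and URLs are constructed.
"""
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Google's documented scopes for the level of access the consent screen asked
# for: read/send/delete mail and manage contacts (assumption, see docstring).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send, delete and manage all your email",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify all your email",
    "https://www.googleapis.com/auth/gmail.send": "send email on your behalf",
    "https://www.googleapis.com/auth/contacts": "read and manage your contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read your contacts",
}

# A Google-branded app name is only plausible if the redirect_uri, i.e. where
# the authorization code and token end up, is itself a Google-owned host.
GOOGLE_HOST_RE = re.compile(r"(^|\.)(google|googleapis|googleusercontent)\.com$")
GOOGLE_BRAND_RE = re.compile(r"\bg(?:oogle)?[\s-]?(?:docs?|drive|mail|sheets|slides)\b", re.I)

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, scopes):
    """Build an authorization URL of the shape Google's OAuth flow uses."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
    })
    return f"{AUTH_ENDPOINT}?{query}"


def parse_auth_request(url):
    """Return (client_id, redirect_host, scopes) from an authorization URL."""
    query = parse_qs(urlparse(url).query)
    client_id = query.get("client_id", [""])[0]
    redirect_host = urlparse(query.get("redirect_uri", [""])[0]).hostname or ""
    scopes = set(query.get("scope", [""])[0].split())
    return client_id, redirect_host, scopes


def triage_consent(app_name, url):
    """Decide whether a consent request should be refused, reviewed or allowed.

    app_name is the display name shown on the consent screen; it is not part
    of the URL, the developer chose it when registering the app.
    """
    client_id, redirect_host, scopes = parse_auth_request(url)
    findings = []
    impersonation = bool(GOOGLE_BRAND_RE.search(app_name)) and not GOOGLE_HOST_RE.search(redirect_host)
    if impersonation:
        findings.append(
            f"app name {app_name!r} imitates a Google product but hands its "
            f"token to {redirect_host!r}")
    risky = sorted(scopes & set(HIGH_RISK_SCOPES))
    for scope in risky:
        findings.append(f"asks to {HIGH_RISK_SCOPES[scope]} ({scope})")
    verdict = "refuse" if impersonation else ("review" if risky else "allow")
    return {
        "client_id": client_id,
        "redirect_host": redirect_host,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed samples; none of these are the attack's real identifiers.
PHISH_URL = build_auth_url(
    client_id="000000000000-constructed.apps.googleusercontent.com",
    redirect_uri="https://docs.example.invalid/callback",
    scopes=["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"],
)
BENIGN_URL = build_auth_url(
    client_id="111111111111-constructed.apps.googleusercontent.com",
    redirect_uri="https://notes.example.invalid/oauth",
    scopes=["openid", "email"],
)

if __name__ == "__main__":
    for name, url in (("Google Docs", PHISH_URL), ("Acme Notes", BENIGN_URL)):
        result = triage_consent(name, url)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("   ", finding)
```

Run stand-alone it prints a verdict for the constructed phishing and benign requests. In practice the authorization URLs would come from proxy or gateway logs of requests to accounts.google.com, and the app name from the consent page itself; a legitimate third-party mail client still lands in "review" because of its scopes, which is the right outcome, since only a Google-branded name paired with a non-Google redirect is conclusive.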

What does Google have to say about all this? Well, the good news is that the company has managed to contain the issue. In a statement to the Verge, Google said, “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.” The company also tweeted the following message:

We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail.
— Gmail (@gmail) May 3, 2017

We still don’t have any information on how many Gmail accounts were compromised in this phishing scam, although multiple reports describe it as a “massive” and “large” attack.

Digit caters to the largest community of tech buyers, users and enthusiasts in India. The all new Digit.in continues the legacy of Thinkdigit.com as one of the largest portals in India committed to technology users and buyers. Digit is also one of the most trusted names when it comes to technology reviews and buying advice and is home to the Digit Test Lab, India's most proficient center for testing and reviewing technology products.